At a glance.
- Tightening up US Federal civilian agencies' cybersecurity.
- IoT security bill clears the US Senate.
- Point-of-sale lawsuit has precedent-setting potential.
- Brandon Wales will serve as CISA's interim director.
Closing a Federal cybersecurity loophole.
Yesterday US Representative Underwood (Democrat, Illinois 14th) and Senator Wyden (Democrat of Oregon) introduced the Federal Cybersecurity Oversight Act of 2020, FCW reports, to enhance existing requirements for Federal civilian agencies (including but not limited to the Department of Justice and the Department of Homeland Security). A 2015 law instituting cybersecurity standards allows agencies to grant themselves open-ended exemptions, or waivers. The new legislation would give the Office of Management and Budget the power to grant one-year waivers for non-essential and “excessively burdensome” rules, and would compel organizations to report their waivers to Congress and estimate when they will no longer be necessary. Senator Wyden said the bill "would prevent civilian agencies from punting cybersecurity down the road indefinitely."
Reining in the fridge and printer: the US Senate passes IoT security bill.
The bipartisan IoT Cybersecurity Improvement Act, first introduced three years ago, has cleared the Senate and is awaiting President Trump’s signature, says SecurityWeek. The bill directs NIST to publish IoT security criteria covering “development, patching, and identity and configuration management” and requires the Government to purchase only devices meeting those standards. It also smooths the process for addressing vulnerabilities. Senator Gardner (Republican of Colorado) commented, “Most experts expect tens of billions of devices operating on our networks within the next several years…they continue to transform our society and add countless new entry points into our networks.” The legislation found support among a number of large tech firms, including Mozilla and Cloudflare.
Wawa suit could trigger “seismic shift” in point-of-sale blame game.
Convenience store Wawa’s use of swiped magnetic stripes instead of dipped EMV chips at the point of sale allegedly cost credit unions tens of millions following a 2019 malware breach affecting “most” locations, according to an essay in The National Law Review. Historically, retailers have been several steps removed from assuming the costs of fraud, and Wawa is arguing that contracts and precedent are on its side. The credit unions maintain that some precedent is on their side, however, and that Wawa neglected its common law duty and duty of care by not following the Payment Card Industry Data Security Standard (PCI DSS); their suit is a bid to redefine the threshold and mechanisms for retailer liability.
Should the credit issuers prove victorious, Wawa may have to foot the bill and upgrade its encryption. More significantly, the PCI DSS could become the new standard of care, forcing the seventy percent of organizations that don’t currently follow its rules to adapt. Since FTC-reported fraud has increased one-thousand percent over the past two decades, the outcome could generate seismic waves.
CISA has an interim director.
The US Cybersecurity and Infrastructure Security Agency (CISA) has yet to update its leadership page, but multiple reports (see, for example, POLITICO and CyberScoop) say that CISA’s Executive Director, Brandon Wales, will lead the agency on an interim basis. Director Wales joined the Department of Homeland Security in 2005 and has served there ever since, most recently as a senior career executive and CISA’s third-ranking official. His interim appointment is generally regarded as auguring more continuity than change.